Multiple Apple Apps Vulnerable to CocoaPods Supply Chain Breach

Millions of Apple Applications Were Vulnerable to CocoaPods Supply Chain Attack

Various macOS and iOS apps were susceptible to a flaw in CocoaPods, an open-source dependency manager, according to a disclosure published by E.V.A. Information Security on July 1. The issue has since been fixed, and no related attacks have been confirmed.

The incident is nonetheless notable because the flaw went unnoticed for an extended period, underlining how carefully developers need to treat open-source libraries. It also serves as a prompt for developers and DevOps teams to assess any potential impact on their organization’s devices.

According to E.V.A., the vulnerability could have affected “thousands of apps and millions of devices.” Vulnerable CocoaPods pods were referenced in the documentation or terms of service of apps from Meta (Facebook, WhatsApp), Apple (Safari, Apple TV, Xcode), Microsoft (Teams), TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and more.

E.V.A. notified CocoaPods of the vulnerability in October 2023, leading to a prompt patch. 

“The CocoaPods team reacted swiftly and responsibly to address the vulnerabilities post disclosure,” mentioned E.V.A. Information Security.

CocoaPods-Originated Vulnerabilities

CocoaPods functions as a dependency manager for Swift and Objective-C projects, ensuring the authenticity of open-source components. E.V.A. Information Security stumbled across the vulnerabilities while conducting red team exercises for a client.

E.V.A. outlined multiple causes for the vulnerabilities. First, in 2014 CocoaPods migrated from GitHub to a “trunk” server, which required pod owners to reclaim ownership of their pods manually. More than 1,800 “orphaned” pods were never reclaimed and sat unattended for a decade, leaving a window in which an attacker could have injected malicious content into them.

Second, an insecure email verification method could be exploited to execute malicious code on the “trunk” server, allowing downloaded packages to be manipulated or replaced.

Third, attackers could obtain account verification tokens by spoofing an HTTP header and abusing misconfigured email security tools. Those tokens could then be used to alter packages on the CocoaPods server, opening the door to supply chain and zero-day attacks.

An E.V.A. Information Security researcher exploited a fake session validation token to hijack a CocoaPods account. Image: E.V.A. Information Security

Strategies for Developers and DevOps Teams to Mitigate CocoaPods Issues

The CocoaPods vulnerabilities underline how carefully developers and DevOps teams need to manage dependency managers, which can be a weak link in supply chain security. As a starting point, teams should review the open-source dependencies in their application code.

E.V.A. recommends:

  • If your software relies on abandoned CocoaPods packages, keep the Podfile.lock synchronized across all developers so that everyone builds with the same package versions.
  • Scrutinize dependency lists and package managers utilized in applications.
  • Verify checksums of third-party libraries.
  • Regularly scan external libraries, especially CocoaPods, for detection of malicious code or suspicious alterations.
  • Keep software updated.
  • Restrict use of abandoned or unmaintained CocoaPods packages.
  • Be aware that widely used dependencies and tooling such as CocoaPods are attractive targets for exploitation.
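The Podfile.lock and checksum recommendations above can be turned into a simple drift check. The script below is an added example, not code from the article, E.V.A. or the CocoaPods project: it parses the PODS and SPEC CHECKSUMS sections of two Podfile.lock files (constructed samples with made-up checksums) and flags the case the article warns about, a podspec whose checksum changed while its version stayed the same, which indicates the spec served by the trunk was altered in place.

```python
"""Flag drift between two CocoaPods Podfile.lock files (added example, not from the article)."""
import re

POD_LINE = re.compile(r"^  - (?P<name>\S+) \((?P<version>[^)]+)\):?$")   # top-level pods only
CHECKSUM_LINE = re.compile(r"^  (?P<name>\S+): (?P<sha>[0-9a-f]{40})$")

def parse_podfile_lock(text):
    """Return {pod: {"version": ..., "checksum": ...}}; checksum is the podspec SHA-1 recorded in the lock."""
    section, versions, checksums = None, {}, {}
    for line in text.splitlines():
        if line and not line.startswith(" "):          # section header, e.g. "PODS:" or "SPEC CHECKSUMS:"
            section = line.rstrip(":")
        elif section == "PODS" and (m := POD_LINE.match(line)):
            versions[m["name"]] = m["version"]
        elif section == "SPEC CHECKSUMS" and (m := CHECKSUM_LINE.match(line)):
            checksums[m["name"]] = m["sha"]
    # A subspec such as Firebase/Core is covered by the checksum of its root spec ("Firebase").
    return {p: {"version": v, "checksum": checksums.get(p.split("/")[0])} for p, v in versions.items()}

def diff_locks(baseline, current):
    """Return (severity, pod, message) tuples; 'alert' means the podspec changed under an unchanged version."""
    findings = []
    for pod in sorted(set(baseline) | set(current)):
        old, new = baseline.get(pod), current.get(pod)
        if old is None or new is None:
            findings.append(("review", pod, "dependency added" if old is None else "dependency removed"))
        elif old["version"] != new["version"]:
            findings.append(("review", pod, f"version {old['version']} -> {new['version']}"))
        elif old["checksum"] != new["checksum"]:
            findings.append(("alert", pod, "podspec checksum changed without a version change"))
    return findings

# Constructed sample lock files; the checksums are made-up values, not real podspec hashes.
SHA_A, SHA_B, SHA_C = "11" * 20, "22" * 20, "33" * 20
BASELINE_LOCK = f"""PODS:
  - Alamofire (5.6.4)
  - Firebase/Core (10.0.0):
    - FirebaseCore (= 10.0.0)
  - FirebaseCore (10.0.0)

SPEC CHECKSUMS:
  Alamofire: {SHA_A}
  Firebase: {SHA_B}
  FirebaseCore: {SHA_C}

COCOAPODS: 1.12.1
"""
# Alamofire keeps version 5.6.4 but its podspec hash changed; FirebaseCore was bumped normally.
CURRENT_LOCK = BASELINE_LOCK.replace(SHA_A, "ab" * 20).replace("FirebaseCore (10.0.0)", "FirebaseCore (10.0.1)")
```

In a CI job, feed the committed Podfile.lock and a freshly resolved one to diff_locks and fail the build on any "alert" finding; "review" findings are ordinary dependency changes that still deserve a look.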
